CVE-2023-41895

8.8 HIGH

📋 TL;DR

This Cross-site Scripting (XSS) vulnerability in Home Assistant allows attackers to execute arbitrary JavaScript on the administration page by exploiting improper validation of redirect URIs. Attackers can use this to fully compromise Home Assistant accounts and installations. All Home Assistant users with versions before 2023.9.0 are affected.

💻 Affected Systems

Products:
  • Home Assistant Core
Versions: All versions before 2023.9.0
Operating Systems: All platforms running Home Assistant
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Home Assistant installations with web interface enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full account takeover leading to complete control of the Home Assistant installation, potentially enabling further attacks on connected smart home devices and systems.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized access to home automation controls.

🟢

If Mitigated

Limited impact with proper network segmentation and strong authentication controls, though XSS could still expose sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (clicking malicious link) but exploitation is straightforward once the malicious page is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.9.0 and later

Vendor Advisory: https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv

Restart Required: Yes

Instructions:

1. Backup your Home Assistant configuration.
2. Update Home Assistant to version 2023.9.0 or later via the Supervisor panel or command line.
3. Restart Home Assistant to apply the update.

🔧 Temporary Workarounds

No workarounds available


The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict network access to Home Assistant web interface using firewall rules to only trusted IP addresses.
  • Implement strong authentication controls and monitor for suspicious login attempts.

🔍 How to Verify

Check if Vulnerable:

Check your Home Assistant version in the Configuration > Info panel or run 'ha core info' in the terminal.

Check Version:

ha core info | grep 'version'

Verify Fix Applied:

Confirm version is 2023.9.0 or higher in the Configuration > Info panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Suspicious redirect patterns in web logs

Network Indicators:

  • HTTP requests containing javascript: scheme in redirect parameters

SIEM Query:

web_requests WHERE url CONTAINS 'javascript:' AND destination_ip = [HOME_ASSISTANT_IP]
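
The SIEM query above is a literal substring match, so it misses percent-encoded (or double-encoded) forms of the scheme and also fires on any URL that merely contains the text "javascript:". The following Python script is an added example (not part of this advisory and not Home Assistant project code) that applies the same detection idea to web-server access logs with normalisation: it extracts the request path, parses every query parameter, repeatedly percent-decodes the value, strips the control characters browsers ignore inside a scheme, and flags values whose scheme is javascript:. The log format, the IP addresses and the parameter names in the sample lines are constructed for the example; the `redirect_uri` parameter name is assumed, and the check is applied to every parameter so a differently named redirect parameter is still caught.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOGS = [
    '192.0.2.10 - - [09/Sep/2023:10:00:00 +0000] "GET /auth/authorize?client_id=http%3A%2F%2Fexample.invalid&redirect_uri=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 512',
    '192.0.2.11 - - [09/Sep/2023:10:01:00 +0000] "GET /auth/authorize?client_id=http%3A%2F%2Fexample.invalid&redirect_uri=javascript%3Aalert(1) HTTP/1.1" 200 512',
    '192.0.2.12 - - [09/Sep/2023:10:02:00 +0000] "GET /auth/authorize?redirect_uri=%256A%2561vascript%3Aalert(1) HTTP/1.1" 200 512',
    '192.0.2.13 - - [09/Sep/2023:10:03:00 +0000] "GET /auth/authorize?redirect_uri=http%3A%2F%2Fexample.invalid%2Fjavascript%3Adocs HTTP/1.1" 200 512',
    '192.0.2.14 - - [09/Sep/2023:10:04:00 +0000] "GET /api/states HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def extract_request_path(line: str):
    """Return the request target (path + query) from a log line, or None."""
    match = REQUEST_RE.search(line)
    return match.group(1) if match else None


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so nested encoding cannot loop
    forever) and drop the whitespace/control characters browsers ignore
    inside a URL scheme; lower-case so the comparison is case-insensitive."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"[\x00-\x20]", "", value)
    return value.lower()


def is_script_scheme(value: str) -> bool:
    """True when the normalised value uses the javascript: scheme.
    A javascript: substring elsewhere in an http(s) URL does not match."""
    return normalize(value).startswith("javascript:")


def find_script_scheme_redirects(log_lines):
    """Scan log lines and report every query parameter whose value is a
    javascript: URL. Each finding records the client IP, the path, the
    parameter name and the normalised value for triage."""
    findings = []
    for line in log_lines:
        target = extract_request_path(line)
        if target is None:
            continue
        parts = urlsplit(target)
        # parse_qsl already decodes one layer; normalize() handles the rest.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_script_scheme(value):
                findings.append({
                    "client": line.split()[0],
                    "path": parts.path,
                    "param": name,
                    "value": normalize(value),
                })
    return findings


if __name__ == "__main__":
    for finding in find_script_scheme_redirects(SAMPLE_LOGS):
        print(finding)
```

Run against the sample, the script reports the second and third lines (plain and double-encoded `javascript:` in `redirect_uri`) and ignores the fourth, where "javascript:" appears only inside the path of an http URL. The bounded decode loop matters: a single `unquote` would leave the double-encoded variant undetected, which is exactly the case a substring query also misses.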

🔗 References
